Increased Defacement Activity Using WebDAV Applications

Wednesday, September 24, 2008


Priority: MEDIUM

Impact: Website defacement and server compromise through code execution on sites using WebDAV without adequate access controls.

Resolution:

  1. Disable WebDAV if it is not needed.
  2. Ensure proper authentication controls exist if WebDAV functionality is required.
  3. Configure a web application firewall to monitor for attempts to modify content using WebDAV.

Who: Web applications utilizing the WebDAV protocol for distributed authoring (e.g. Microsoft® SharePoint®) and sites relying on Microsoft FrontPage® Server Extensions for content management are potential targets.

What: Frequently, sites that rely on WebDAV for content management are deployed with inadequate authentication mechanisms that allow any Internet user to manage site content.

Also, in many cases, WebDAV is enabled in websites even though it is not used.

How: Exploitation of these configuration errors relies on the WebDAV feature that allows content to be uploaded using the PUT request method, as in the following example, which was taken from an actual attack and sanitized:

PUT /index.htm HTTP/1.0
Accept-Language: en-us;q=0.5
Translate: f
Content-Length: 153
User-Agent: Microsoft Data Access Internet Publishing Provider DAV 1.1
Host: www.example.com
<153 bytes of page content>

Such high-privileged actions should only be allowed after both authentication and authorization have taken place. In many sites, however, access is granted with no checks made. This is a long-standing problem, but the ease of exploitation, and the ease with which automated tools can be changed and customized, make it still a relevant one.

In the most common exploitation attempt, the following file names are targeted in a burst, using an automated tool:

/index.htm
/index.html
/home.htm
/home.html
/default.htm
/default.html
/index.asp
/default.asp
/home.asp
/index.php
/default.php
/home.php

Both automated and manual exploitation attempts were recorded.

  1. In the automated approach, attackers run tools that constantly search for websites to exploit. The attack instances we have seen skip the detection phase and go for instant, high-impact defacement.
  2. Manual operation allows for more subtle exploitation. An attacker can probe for the existence of this problem using a file name that is not used on the site, which would prevent detection if there is no active traffic monitoring in place (e.g. a web application firewall is not deployed to protect the site). Once a site configuration problem is confirmed, the attacker can choose how to exploit the problem, as discussed in the following section.
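The following script is an added example (not part of the original alert and not a Breach Security tool) of the traffic monitoring the alert recommends. It reads constructed IIS-style W3C log lines, pulls out WebDAV write methods, reports writes the server accepted, flags a client that sends a burst of PUT requests against the default page names listed above (the automated pattern), and flags a PUT to an unusual file name that the same client later deletes (the manual probe pattern). The log lines, addresses and thresholds are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (IIS W3C style: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)).
# Invented for this example; not taken from a real incident.
SAMPLE_LOG = """\
2008-09-24 10:15:01 203.0.113.7 GET /index.htm 200 Mozilla/4.0
2008-09-24 10:15:02 203.0.113.7 PUT /index.htm 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2008-09-24 10:15:02 203.0.113.7 PUT /index.html 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2008-09-24 10:15:03 203.0.113.7 PUT /default.asp 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2008-09-24 10:15:03 203.0.113.7 PUT /home.php 405 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2008-09-24 11:02:17 198.51.100.9 PUT /zz_probe_8731.txt 201 Mozilla/4.0
2008-09-24 11:02:18 198.51.100.9 DELETE /zz_probe_8731.txt 204 Mozilla/4.0
2008-09-24 11:30:00 192.0.2.44 GET /default.htm 200 Mozilla/4.0
"""

# WebDAV methods that modify content (RFC 4918), any of which deserves attention on a public site.
WEBDAV_WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# The file names the alert reports being targeted in bursts by automated tools.
DEFACEMENT_TARGETS = {
    "/index.htm", "/index.html", "/home.htm", "/home.html", "/default.htm", "/default.html",
    "/index.asp", "/default.asp", "/home.asp", "/index.php", "/default.php", "/home.php",
}

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group(2), "method": m.group(3), "path": m.group(4),
        "status": int(m.group(5)), "ua": m.group(6),
    }


def write_events(lines):
    """Keep only requests that use a WebDAV write method."""
    return [e for e in map(parse_line, lines) if e and e["method"] in WEBDAV_WRITE_METHODS]


def detect_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {client_ip: count} for clients whose PUTs against the default page names
    reach the threshold inside one time window (the automated defacement pattern)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "PUT" and e["path"].lower() in DEFACEMENT_TARGETS:
            by_ip[e["ip"]].append(e["time"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            bursts[ip] = best
    return bursts


def detect_probes(events):
    """Return (ip, path) pairs where a client successfully PUT a non-default file name and
    later deleted it again (the manual probing pattern the alert describes)."""
    probes = []
    for e in events:
        if e["method"] != "PUT" or e["path"].lower() in DEFACEMENT_TARGETS:
            continue
        if not 200 <= e["status"] < 300:
            continue
        cleaned_up = any(
            d["method"] == "DELETE" and d["ip"] == e["ip"]
            and d["path"] == e["path"] and d["time"] >= e["time"]
            for d in events
        )
        if cleaned_up:
            probes.append((e["ip"], e["path"]))
    return probes


def analyze(log_text):
    """Run all three checks over a log and return the findings."""
    events = write_events(log_text.splitlines())
    return {
        # Any 2xx answer to a write method means the server accepted a content change.
        "accepted_writes": [(e["ip"], e["method"], e["path"]) for e in events if 200 <= e["status"] < 300],
        "bursts": detect_bursts(events),
        "probes": detect_probes(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The accepted-writes list is the one to act on first: a 2xx response to PUT or DELETE from an arbitrary Internet address means the site is already modifiable without credentials, whether or not the page content was visibly changed.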

Impact:

The following attack scenarios are possible, depending on the motive and the skill of the intruder:

  1. Sudden unsophisticated defacement. Usually carried out using automated tools, this type of attack is easily detected.
  2. Subtle defacement. Often performed manually, a subtle defacement is more difficult to detect because it usually results in a small change of content or a change that is not normally visible (e.g. a comment embedded in an HTML page).
  3. Server compromise through code execution. Code execution on the server, using the server’s identity, is possible on vulnerable websites that also allow for dynamic content creation through scripting (using ASP, ASP.NET, PHP or JSP pages). In such cases, attackers can proceed to explore the server environment and look for ways to escalate to a complete server compromise.
  4. Malware distribution. Attackers may use a compromised website to distribute malware and infect site visitors.
  5. Search Engine Optimization (SEO) injection. In an SEO injection attack, attackers make subtle changes to site content in order to take advantage of the site’s search engine positioning.

Additionally, organizations impacted by this vulnerability may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

Risk: Because this is a recurring problem with many websites and a problem that is being actively exploited using automated tools, we are categorizing this as a MEDIUM severity issue.

Resolution: We recommend all system administrators take the following actions:

  1. Make sure that WebDAV is disabled on sites where it is not needed.
  2. On sites that require WebDAV for normal operation, make sure that proper access controls are deployed. Such checks should be periodically performed on sites whose configuration was changed.
  3. Deploy real-time traffic monitoring controls using web application firewalls. Such measures will allow system administrators to detect reconnaissance attack attempts. Exploits can be prevented with a web application firewall deployed in blocking mode.
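The following is an added example (not part of the original alert and not WebDefend code) of the decision order that resolution steps 1 and 2 describe, written as a request-handling policy function: a write method is refused outright where WebDAV is disabled, otherwise the request must first authenticate, and only then is the user checked for authorization on the target path. The user store, the "editor" account, its password and its allowed path prefix are all invented for the example.

```python
import base64
import hashlib
import hmac

# WebDAV methods that modify content (RFC 4918); these are the "high-privileged actions".
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def _hash(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> salted password hash and the path prefixes the user may write.
# Invented for this example; a real site would use the server's own account store.
USERS = {
    "editor": {"salt": "s1", "hash": _hash("s1", "correct horse"), "allowed_prefixes": ("/news/",)},
}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header (used by the usage example and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers):
    """Return the username for a valid HTTP Basic credential, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    if record is None:
        return None
    # Constant-time comparison of the salted hash.
    if not hmac.compare_digest(_hash(record["salt"], password), record["hash"]):
        return None
    return user


def decide(method, path, headers, webdav_enabled):
    """Return (status, reason) for a request, applying the checks in the order the alert asks for:
    1. WebDAV off  -> write methods rejected regardless of who sends them (405).
    2. WebDAV on   -> authentication required (401).
    3. Authenticated -> authorization for the target path required (403).
    Read methods are passed through for the normal handler."""
    if method not in WRITE_METHODS:
        return 200, "read request"
    if not webdav_enabled:
        return 405, "WebDAV disabled on this site"
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"
    if not any(path.startswith(p) for p in USERS[user]["allowed_prefixes"]):
        return 403, f"{user} is not authorized to write {path}"
    return 200, f"write allowed for {user}"


if __name__ == "__main__":
    # The sanitized attack from the alert: an unauthenticated PUT to /index.htm.
    print(decide("PUT", "/index.htm", {}, webdav_enabled=False))
    print(decide("PUT", "/index.htm", {}, webdav_enabled=True))
    print(decide("PUT", "/index.htm", basic_header("editor", "correct horse"), webdav_enabled=True))
    print(decide("PUT", "/news/story.htm", basic_header("editor", "correct horse"), webdav_enabled=True))
```

The point of the ordering is that an anonymous PUT never reaches the content store on either configuration: with WebDAV off it is refused by method, and with WebDAV on it is refused for lack of credentials before any path logic runs. The periodic check the alert recommends after configuration changes amounts to re-sending the first two requests above and confirming the server still answers 405 or 401.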

How WebDefend Customers Are Protected:
WebDefend customers are protected by default because WebDefend will actively monitor, warn and block (when configured for blocking) upon detecting attempts to use the PUT request method, which is a clear sign of an exploitation attempt.

A separate feature of WebDefend, Change Control, monitors site content and alerts when a page is completely changed or when the structure of the page changes (indicating a possible subtle defacement activity).

Customers should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically that the appliances are configured in a “blocking” mode for these attacks.

Contact:
For more information on this alert, please email support@breach.com.